Developing secure image forensic tools, capable of granting good performance even in the presence of an adversary aiming at impeding the forensic analysis, turns out to be a difficult task, given the weakness of the traces the forensic analysis usually relies on . As a matter of fact, a number of Counter-Forensics (CF) tools have been developed, whose application hinders a correct image forensic analysis . Early CF techniques were rather simple, as they consisted in the application of some basic processing operators like noise dithering, recompression, resampling or filtering [3, 4, 5]. Though often successful, the application of general post-processing operators, sometimes referred to as laundering, does not guarantee that the forensic traces are completely erased and hence does not necessarily result in the failure of the forensic analysis.
When the attacker has enough information about the forensic algorithm, much more effective CF techniques can be devised. By following the taxonomy introduced in , we say that we are in a Perfect Knowledge (PK) scenario, when the attacker has complete information about the forensic algorithm used by the analyst. In the PK case, very powerful CF techniques can be developed allowing the attacker to prevent a correct analysis by introducing a limited distortion into the attacked image. Generally speaking, the attacker needs only to solve an optimisation problem looking for the image which is in some sense closest to the image under attack and for which the output of the forensic analysis is the wrong one. Even if such an optimisation problem may not be always easy to solve, the exact knowledge of the decision function allows the application of powerful techniques either in closed form [7, 8, 9], or by relying on gradient-descent mechanisms [10, 11].
In many cases, the attacker has only a Limited Knowledge (LK) about the forensic algorithm 
. Let us consider, for example, the case of a machine learning based detector looking for the traces left within an image by a particular processing algorithm. The attacker may know only the type of detector used by the analyst, e.g. a Support Vector Machine (SVM) or a Neural Network (NN), and the feature space wherein the analysis is carried out, but he may not have access to the training data. In this case, the attacker can build a surrogate version of the detector by using its own training data, and carry out the attack on the surrogate detector, hoping that the attack will also work on the detector used by the analyst[6, 10, 11]. In other cases, the attacker may know only the feature space used by the detector. In such a situation, he may resort to a so-called universal CF strategy capable of defeating any detector working in the given feature space . In most cases, the attack works by modifying the attacked-image so that its representation in the feature space is as close as possible to the representation of an image chosen in a dataset of images belonging to the desired class (e.g. non-compressed or pristine images) . In , for instance, the attack works by bringing the histogram of the attacked image as close as possible to that of an image belonging to a reference dataset of pristine images, by solving an optimal transport problem. In , a similar strategy is applied in the DCT domain to attack any double JPEG detector relying on the first order statistics of block DCT coefficients.
Several anti-CF techniques have also been developed in the last years. The most common approach consists in looking for the traces left by the CF tools, and develop new forensic algorithms explicitly thought to expose images subjected to specific CF techniques. The search for CF traces can be carried out by relying on new features explicitly designed for this target as in [15, 16, 17, 18]
, or, from a more general perspective, by using the same features of the original forensic technique and design an adversary-aware version of the classifier, as in[19, 20]. In the latter case, it is recommendable to adopt a large feature space allowing enough flexibility to distinguish original and tampered images as well as images processed with the CF operator. If we assume that the attacker knows that the traces left by the CF tools may themselves be subjected to a forensics analysis, we fall in a situation wherein CF and anti-CF techniques are iteratively developed in a never-ending loop, whose final outcome can hardly be foreseen 
. Some attempts to cast the above race of arms between the forensic analyst and the attacker by resorting to game theory have been made in and . In order to ease the mathematical analysis, such works, usually assume that the forensic analysis is carried out in a simple feature space, like in  where the detector is assumed to rely on first order statistics only, or , where the space of strategies available to the analyst and the attacker is limited to a few parameters defining the behaviour of the forensic and CF algorithms. In some cases, it is also possible to predict who between the attacker and the analyst is going to win the game according to the distortion that the attacker may introduce to impede the forensic analysis .
Yet in other works, the structure of the detector is designed in such a way to make CF harder. In , the output of multiple classifiers is exploited to design an ensemble classifier exhibiting improved resilience against adversarial attempts to induce a detection error. In , the robustness of a two-class classifier and the inherent superior security of one-class classifiers are exploited to design a one and a half class detector, that is proven to provide an extra degree of robustness under adversarial conditions. Other approaches to improve the security of machine-learning classifiers are described in [27, 28, 29], for applications outside the realm of image forensics. Despite all the above attempts, however, when the attacker knows the feature space used by the analyst, very powerful CF strategies can be designed whose effectiveness is only partially mitigated by the adoption of anti-CF countermeasures.
In order to restore the possibility of a sound forensic analysis in an adversarial setting, and give the analyst an advantage in his race of arms with the attacker, in this work, we propose to randomise the selection of the feature space wherein the analysis is carried out. To be specific, let us assume that to achieve his goal - hereafter deciding between two hypotheses and about the processing history of the inspected image - the analyst may rely on a large set of, possibly dependent, features. The number of features used for the analysis may be in the order of several hundreds or even thousands; for instance, they may correspond to the SPAM features described in  or the rich feature set introduced in . In most cases, the use of all the features in is not necessary and good results can be achieved even by using a small subset of . Our proposal to secure the forensic analysis is to randomise it by choosing a random subset of - call it - and let the analysis rely on only; in a certain sense, the randomisation of the feature space can be regarded as a secret key used by the analyst to improve the security of the analysis. Given its ignorance about the exact feature set used by the analyst, the attacker must attack the entire feature set . As we will show throughout the paper, with both theoretical and experimental results, not only attacking the entire set increases the complexity of the attack, but it also diminishes its effectiveness, since there is no guarantee that attacking a detector working in the full feature space will also result in a successful attack against a detector working in the reduced set .
The rest of this paper is organised as follows. In Section II, we revise prior works using randomisation to improve the security of image forensic techniques and more in general that of any detector or classifier. In Section III, we give a rigorous formulation of image manipulation detection via random feature selection, and analyse the theoretical performance of the random detector under simplified, yet reasonable, assumptions. In Section IV, we exemplify the general strategy introduced in Section III by developing an SVM detector based on randomised feature selection within a restricted subset of SPAM features, designed to detect two different kinds of image manipulations, namely adaptive histogram equalization and median filtering. In Section V, we analyse the security of the detectors described in Section IV against targeted attacks carried out in the feature and the pixel domains. As it will be evident from the experimental analysis, random feature selection considerably increases the strength required for a successful attack at the expense of a negligible performance loss in the absence of attacks. Finally, in Section VI, we draw our conclusions and highlight some directions for future research.
Ii Related works
The use of randomisation to improve the security of a detector or a classifier is not an absolute novelty since it has already been proposed is several security-oriented applications.
Early attempts to use randomisation as a countermeasure against attacks were focusing on probing or oracle attacks, i.e. attacks that repeatedly query the detector in order to get information about it and then use such an information to build an input signal that evades the detection111Probing attacks are usually carried out when no any a-priori knowledge about the classifier is available to the attacker. (see for instance  for an example related to one-bit watermarking and  for the use of randomisation in the context of machine learning). In all these works, the outcome of the detector is randomised by letting the output be chosen at random for points in the proximity of the detection boundary. In general, boundary randomisation only increases the effort necessary to the attacker to enter (or exit) the detection region; in addition, it also causes a loss of performance in the absence of attacks, that is, the robustness of the system decreases.
Other strategies exploiting randomness to prevent the attacker from gathering information about the detector have been adopted for spam filtering, intrusion detection  and multimedia authentication . A rather common approach consists in the use of randomisation in conjunction with multiple classifiers. In , for instance, randomness pertains to the selection of the training samples of the individual classifiers, while in  is associated to the selection of the features used by the classifiers (here referred to as random subspace selection), each of which is trained on the entire training set. Another randomisation strategy, used in conjunction with multiple classifiers, has been proposed in  and experimentally evaluated for spam filtering applications. Specifically, an additional source of randomness is introduced in the choice of the weights of the filtering modules of the individual classifiers. Random subspace selection has also been adopted in steganalysis , though with a different goal, that is to reduce the problems encountered when working with extremely high-dimensional feature spaces.
are often employed to elude attacks: specifically, a secret key is used to generate a random matrix which is then employed to generate the hash bits of the content, by first projecting the to-be-authenticated signal on the directions identified by the rows of the matrix and then comparing the absolute value of the projections against a threshold. Despite the apparent similarity to our work, the use of random projections for multimedia hashing differs substantially from the technique proposed in this paper. In multimedia hashing applications, the random projection is applied directly in the pixel or in a transformed domain, and is possibly followed by the use of channel coding to improve robustness against noise. The kind of traces we are looking for in multimedia forensics applications, however, are so weak that a completely random choice of the feature space would not work. For this reason, in our system, randomisation is applied within a set of features explicitly designed to work in a specific multimedia forensics scenario. As a matter of fact, the system proposed in this paper can be seen as the application of the random projection method directly in the feature space, with the projection matrix designed in such way to contain exactly one non-zero in each row, with the additional computational advantage that only the selected features need to be calculated, while a full projection matrix would require the computation of the entire feature set.
The use of feature selection for security purposes has also been proposed in . Although the idea of resorting to a reduced feature set is similar to our proposal, the set up considered in  differs considerably from the one adopted in this paper. In , in fact, the authors search for the best reduced feature set against an attacker with perfect knowledge about the detector, i.e. an attacker who knows the choice of the feature subset made by the defender. This is different from the scenario considered here, where feature randomization works as a kind of secret key.
Iii Secure detection by random feature selection
In this section, we give a rigorous definition of binary detection based on Random Feature Selection (RFS) and provide a theoretical analysis to evaluate the security vs robustness trade-off under a simple statistical model. Though derived under simplified assumptions, the theoretical analysis is an insightful one since it clearly describes the impact that the number of selected features has on the accuracy of the randomised detector both in the presence and in the absence of attacks. Even if this paper focuses on RFS, the theoretical framework considered in our analysis is a general one and can also be used to analyse other kinds of (linear) feature randomisation.
Iii-a Problem formulation
Let be an -long column vector with the image features the detector relies on. The detector aims at distinguishing between two hypotheses: - ”the image is manipulated”, and
- ”the image is original”. We assume that the probability density function (pdf) ofunder the two hypotheses is as follows:
), is a multivariate Gaussian distribution with mean(res., ), and covariance matrix (res., ). Note that assuming that the mean vectors under the two hypotheses are one the opposite of the other does not cause any loss of generality. In fact, if this is not the case, we can always apply a translation of the feature vector, for which such an assumption holds.
The derivation of the optimal detector, under the assumption that the a-priori probabilities of and are equal, passes through the computation of the log-likelihood probabilities of observing under and . By removing all the unimportant constants not depending on the underlying hypothesis, the optimum detector decides for if:
In the following, we will carry out our analysis by assuming that . In this case, the optimum decision rule can be simplified with the detector deciding for if:
In the rest of the section, we will refer to the detector expressed by equation (3) as the optimum full-feature detector.
In order to improve the security of the system, the detector randomises the decision strategy by relying on a reduced feature vector where is a random -dimensional matrix. Several different randomisation strategies can be adopted according to the form of . For the RFS detector proposed in this paper, is a matrix whose entries are all zeros except for a single element of each row which is equal to one. In addition, all nonzero entries are located in different columns. This corresponds to form by selecting at random elements of . Another possibility consists in generating all the elements of independently according to a given distribution (e.g. Gaussian) and normalising the entries so that the Euclidean norm of each row is equal to one. In this way, the randomised detector relies on the projections of the vector on random directions (Random Projection - RP). If we also require that the rows of are orthogonal to each other, multiplication by corresponds to randomly rotate the feature vector and then take only rotated features (Random Rotation - RR).
Iii-B Theoretical analysis
In this section, we analyse the trade-off between security and robustness by evaluating the performance of the randomised detector with and without attacks. As we will see, by lowering , the security of the detector increases at the price of a loss of performance in the absence of attacks, with a slightly better trade-off reached by the RFS detector.
Iii-B1 Performance in the absence of attacks (robustness)
As highlighted in the previous section, the sufficient statistics for the optimum full-feature detector is given by
The performance of the full-feature detector depend on the statistics of . Due to the normality of ,given by:
Similar values are obtained under , by replacing with . The error probability of the detector is related to the -value of the normal distribution, which is equal to:
Note that is always positive since is a positive-definite matrix and that higher values of correspond to a lower error probability. In particular, the probability of deciding in favour of when holds is:
Due to the symmetry of the problem, the probability of deciding in favour of when holds takes the same value, hence, in the following, we will generally refer to the error probability as .
In the case of randomised detection, the feature vector is: . For a given , the statistics of the observations under the two hypotheses are as follows:
where we let and . The optimum detector now decides for when:
As for the full detector, is a Gaussian r.v. with mean and variance (under ) given by:
Once again the error probability depends on the -value of the randomized detector that is equal to:
By introducing the factor
the -value of the randomised detector can be related to that of the full-feature detector as follows:
Given that is always lower than one and decreases when decreases, equations (12) and (13) determine the loss of performance due to the use of the randomised reduced-feature detector instead of the full-feature one. Since in this case the errors are due to the natural variability of the observed features, the loss of performance can be regarded as a loss of robustness.
Iii-B2 Performance under attack (security)
Given that the attacker does not know the subset of features used by the randomised detector, he is forced to attack the full-feature detector. Without loss of generality, we will assume that the attacker takes a sequence generated under and modifies it in such a way that the detector decides in favour of (). The optimum attack is the one that succeeds in inducing a decision error while minimising the distortion introduced within . Such an attack is obtained by moving the vector orthogonally to the decision boundary until , leading to:
where is the attacked feature vector and is a parameter controlling the strength of the attack: with the attacked vector is moved exactly on the decision boundary, however the attacker may decide to use a larger (introducing a larger distortion) so to move the attacked vector more inside the wrong decision region, hence increasing the probability that the attack is successful also against the randomised detector.
By construction, when applied against the full feature detector the above attack is always successful. We now investigate the effect of the attack defined in (14), when the analyst uses a randomised detector based on a reduced set of features. We start by observing that, as a consequence of the attack, the value of evaluated by the randomised detector is:
where we let:
By observing that does not depend on and hence it is a fixed value for a given , we see that the statistics of under attack depend only on the statistics of and
. These are two Gaussian random variables whose statistics are given by the following lemma.
By letting , and , we have that under :
See the appendix. ∎
It is worth observing that the result in Lemma 1 hold under the assumption that the attacker applies equation (14) even when the full-feature detector decides for , that is when . In general this will not be the case, since when the detector already makes an error due to the presence of noise, the attacker has no interest to modify . In fact, in this case, the result of the application of equation (14) would be the correction of the error made by the detector. Given that deriving the statistics of by taking into account that the attack is present only when is an intractable problem, we assume that equation (14) always holds. The results obtained in this way provide a good approximation of the real performance of the system when the error probability of the full-feature detector in the absence of attacks is negligible, i.e., when is much larger than 1.
By exploiting Lemma 1, we immediately find that:
finally yielding the -value of the randomised detector under attack:
which can be rewritten as:
The interpretation of equation (26) is rather difficult since and depend on in a complicated way. In the following section we will use numerical simulations to get more insight into the performance predicted by (26). Here we observe that the expression of can be simplified considerably when , that is when features are independent and have all the same variance, and the rows of are orthogonal, as with RFS and RR. In this case, it is easy to see that:
and hence . Equation (26) can then be rewritten as:
From equations (27) and (28), we see that the error probability under attack depends only on , that is the ratio of the norm of the vector with the mean value of the reduced set of features and the norm of the full-feature mean vector. Clearly, when the number of features used by the randomised detector decreases, the value of decreases as well. Given that the numerator in (28) is either null or negative, and given that the quantity
increases when decreases, the error probability under attack decreases with . In fact, if approaches zero, i.e., , will be close to 0, and the error probability under attack tends to 0.5. In other words, the probability that an attack against the full feature detector is also affective against a reduced detector based on one feature only is 0.5 (the improved security comes at the price of a reduced effectiveness in the absence of attacks, as stated by equation (13)). As we will see in the next section, even better results are obtained when the features are not independent. Expectedly, it is also easy to see that when , that is when all the features are used, , hence resulting in a very large error probability222In fact, when the error probability should be equal to 1. This is not the case in the present analysis due to the assumption we made that the attacker always applies equation (14), even when ..
Iii-C Numerical results
We start with the simple case of i.i.d. features. The performance predicted by the theory are reported in Fig. 1, where we show the dependence on of the error probability both in the presence (upper curves) and in the absence (lower curves) of attacks. The plots have been obtained by letting , , and averaging over 200 random choices of the matrix . We set for the leftmost plot and for the rightmost. As it can be seen, no particular difference can be noticed between the RFS and RP detectors. The security of the randomised detector increases for lower values of , while the performance in the absence attacks decreases. As predicted by equation (29), when the number of features used by the detector tends to 1, the error probability in the presence of attacks tends to 0.5, thus showing that the attack designed to defeat the full-feature detector fails to succeed when the reduced feature detector is used almost half of the times. Expectedly, the attack is more successful for larger values of .
Even if the plots in Fig. 1 refer to the RFS and RP cases, very similar results are obtained by using a random rotation (RR) matrix.
We now consider the more general case of dependent, non-identical features. To do so, we set the statistics of the host features as follows: i) constant mean vector
(we also run some simulations with a randomly generated mean vector obtaining very similar results), ii) random covariance matrix constructed by first generating a diagonal matrix with uniformly distributed random diagonal entries, and then randomly rotating the diagonal matrix so to obtain dependent features. We observe that in this way the features have different variances, however, especially after the random rotation, the difference among the variances is not big. This agrees with a practical setup in which the detector relies on normalised features. Alike in the i.i.d. case, we letand averaged the results over 200 repetitions, each time by randomly generating a new covariance matrix and a new matrix . We considered four different values of , namely: . Fig. 2 reports the results that we have obtained. Due to the randomness involved in the generation of the feature statistics, we could not control the exact value of , the values resulting from each experiment are reported in the caption of the figure. As in Fig. 1, no particular difference is observed between the RFS and RP cases, however, the overall behaviour of the detector is completely different with respect to the i.i.d. case. The error probability under attack decreases rapidly as soon as the number of features used by the detector is reduced, thus indicating a high security level. After a certain point, however, the error probability increases again approaching 0.5 when tends to 1. Such a behaviour can be interpreted as a loss of robustness rather than a loss of security. In fact, the error probability in the absence of attacks exhibits a similar increase when decreases, indicating that the detector is not able to distinguish between and by relying on few features only. Of course, such a problem has an impact also on the error probability in the presence of attacks. Overall, the reduced detector performs better in the case of dependent features, however, higher values of must be used with respect to the i.i.d. case.
Given that the particular form of the matrix does not have a significant impact on the performance of the reduced detector, in the following we focus on the RFS case only. An advantage of such an approach is its lower computational complexity. In the RR and RP cases, in fact, the detector must compute the entire feature vector and then choose only linear combinations. In the RFS case, instead, the detector can compute only the features that it intends to use, avoiding to calculate the non-selected features; this may allow a significant reduction of the complexity, especially for large values of and small values of .
Iv Application to image manipulation detection
The theoretical analysis given in the previous section suggests that a detector based on a randomised subset of features provides a better security with respect to a full-feature detector. The applicability of such an idea to real world applications, however, requires great care, since the assumptions behind the theoretical analysis are ideal ones and are rarely met in practice. Since the goal of this paper is to improve the security of image forensic techniques against counter-forensic attacks, in this section, we introduce an SVM-based detector based on random feature selection and apply it to two particular image forensic problems, namely the detection of adaptive histogram equalization and the detection of median filtering. The full feature space consists of a subset of SPAM features , however the SVM detector is trained by relying only on a random subset of the full feature set. As we will see, the loss of performance of the RFS SVM detector in the absence of attacks is very limited, even for rather small values of .
We also introduce two attacks aiming at deceiving the SVM detector. Both attacks are based on gradient descent, the first one works in the feature domain, while the second operates directly in the pixel domain. Both attacks are very powerful since they were able to prevent a correct detection in all the test images. In particular, the attack operating in the pixel domain is a very practical one since it does not require to map back the attack from the feature to the pixel-domain and can prevent a correct detection by introducing a limited distortion in the attacked image. In Section V, we will use these attacks to demonstrate the improved security ensured by the RFS detector.
Iv-a RFS SVM-based detection of image manipulations
Residual-based features, originally devised for steganalysis applications [30, 31], have been used with success in many image forensic applications, including forgery detection , detection of pixel-domain enhancement, spatial filtering, resampling and lossy compression . In particular, in this paper, we consider the SPAM feature set . Since we carried out all our tests on grey-level images, we assume that these features are computed directly on grey-level pixel values, or on the luminance component derived from the RGB colour bands. Feature computation consists of three steps. In the first step, residual values are computed; specifically, the difference 2-D arrays are evaluated along horizontal, vertical and diagonal directions. In the second step, the residual values are truncated so that their maximum absolute value is equal to . Finally, the co-occurrence matrices are computed. Depending on the value of and the order of the co-occurences considered in the computation, different sets of features with different sizes are obtained. We use second-order SPAM features with , for a dimensionality of the feature space of 686.
Based on the SPAM features, we built an SVM detector aiming at revealing Adaptive Histogram Equalization (AHE) and Median Filtering (MF). With regard to AHE, we considered the contrast-limited algorithm (CLAHE) implemented by Matlab function with . Some sample images manipulated in this way are shown in the second column in Fig. 3. With regard to MF, we considered window sizes (MF3, MF5, MF7).
To train and test the detectors, we used a set of 2000 images from the RAISE-2k dataset . Specifically, we used 1400 images for training and 600 images for testing. To speed up the experiments, the images were downsampled by factor 4 and converted to grayscale. The SVM models are built by using the tools provided by the LibSVM library . The RBF kernel is used for all the SVMs. The results of the tests are shown in the first row of Table I. All the four detectors got a 100% accuracy on the test data, thus confirming the excellent capabilities of the SVM trained with the SPAM features to detect global image manipulations like median filtering and histogram equalization.
|Attack in feature domain||100%||100%||100%||100%|
|Attack in pixel domain||100%||100%||100%||100%|
Iv-B Attack in the feature domain
In this section, we describe the feature domain attack we have implemented against the RFS SVM detectors. Before going on, we observe that carrying out the attack directly in the feature domain may not be realistic in many practical applications, since mapping back the attack into the pixel domain is not trivial. In addition, the attack procedure we have used, does not ensure that the attacked feature vector is a feasible one, that is, there is no guarantee that an image exists whose features are equal to those resulting from the attack. Nevertheless, analysing the performance of the RFS detectors in this scenario, which is undoubtedly more favourable for the attacker, already provides interesting insights about the security improvement achieved by RFS.
The attack in the feature domain has been built by following the system described in . Specifically, given a feature vector and a discriminant function , we assume that the detector decides that belongs to a manipulated image if , and to an original image otherwise. In this setup, the optimally attacked vector is determined by solving the following minimization problem:
where is a suitable distortion measure and is a safe margin, which, similarly to the parameter in Section III, permits to move the attacked vector more or less inside the acceptance region. For an SVM detector, the discriminant function can be written as:
where and are, respectively, the support value and the label of the th support vector , and where is the kernel function. In our implementation, the minimization problem is solved by using a gradient descent algorithm, where the gradient at each iteration is computed as:
The discrimination function and the corresponding gradient for different kernels are reported in Table II.
As a matter of fact, in our implementation we used the probabilistic output of the SVM rather than . The probabilistic output is built by mapping into the [0, 1] range and by letting the value correspond to a probabilistic output equal to 0.5. By indicating the probabilistic output of the SVM with , the minimization problem in (30) can be rewritten as:
where (equivalent to ) corresponds to an attacked feature vector lying on the decision boundary and values of introduce a safe margin bringing the attacked vector deeper inside the wrong detection region.
We attacked the full-feature SVM detectors for AHE and MF by applying the gradient descent attack in the feature domain, even with , the attack was able to deceive all the detectors, as reported in the second row of Table I. The distortion introduced by the attack for , and is given in Table. III. As expected the distortion increases for smaller values of . We observe that the distortion values reported in the table do not give an immediate indication of the distortion of the attacked image, due to the difficulties of mapping back the attacked feature vector into the pixel domain.
Iv-C Attack in the pixel domain
In a realistic scenario, the attacker will carry out his attack in the pixel domain. This is not an easy task due to the complicated relationship between the pixel values and the SPAM features the SVM detector is fed with. Similarly to equation (33), the goal of the attack in the pixel domain is to solve the following optimisation problem:
is the feature extraction function (i.e.) and, as before, indicates the probabilistic output of the SVM. Due to the complicated form of and to the necessity of preserving the integer nature of pixel values, gradient descent can not be applied directly to solve (34). For this reason we implemented the attack as described in , by setting to 20% the percentage of pixels modified at each iteration of the attack (see  for more details).
The results of the attack on the same dataset used in Section IV-A are reported in the last row of Table I. Only the results for are shown for simplicity. The results show that the attack always succeeds for all the detectors. The average distortion introduced within the attacked images is reported in Table IV, while some examples of attacked images are given in the third column of Fig. 3. As it can be seen, the quality of the attacked images is very good, thus proving the validity of the attack.
V Security of RFS-based manipulation detection against feature-domain and pixel-domain attacks
In this section, we show the improved security provided by RFS by testing the adaptive histogram equalization and median filtering detectors introduced in Section IV-A against the attacks presented in Sections IV-B and IV-C.
V-a Experimental methodology
In our experiments, we used the same setting described in the Section IV-A. The SVM models were trained by using a randomly selected subset of SPAM features extracted from the training set.
The processed images were attacked by using the two methods presented in Section IV-B and IV-C. In both cases we assumed that the attacker has access to a version of the full-feature SVM detectors trained on the same dataset used by the analyst. The performance of the RFS SVM detectors were then evaluated on both the attacked and non-attacked images for different values of . We repeated the experiments 100 times, each time using a different matrix . Various stopping conditions, namely , were considered for both the attacks. For the dimension of the reduced feature set, we considered values of in the range . The value of (see Table II) was obtained by means of 5-fold cross-validation carried out on the training set.
To evaluate the performance in the absence of attacks, we considered both false alarms and missed detections, while for the security in the presence of attacks, we considered only the missed detection probability, since in our setup the goal of the attacker is to induce a missed detection event.
V-B Security vs robustness tradeoff: feature domain
In this section, we describe the performance of the RFS detectors against the feature-domain attack described in Section IV-B. As we already pointed out, this is an ideal situation for the attacker, since in real applications the attacker usually does not have access to the feature domain and the inverse-mapping from the feature domain to the pixel domain is a difficult task. As we will see, despite the setup is more favourable to the attacker than in the case of a pixel domain attack, the RFS detector exhibits a good security.
Fig. 4 shows the error probability of the RFS detector as a function of with and without attacks for the MF3 and AHE detectors. As an overall trend, we see that reducing the dimension of the feature set does not impact much the performance of the detector. In fact, even with , the probability of correct detection is still for MF3 and for AHE. In the presence of attacks, the missed detection probability of the RFS detectors is significantly lower than that of the full-feature detector ( in the figure). When the stopping condition of the attack is equal to , the error probability drops immediately even for rather large values of , while for and , smaller values of are needed to make the error probability drop. The figure clearly shows that a suitable stopping condition can be found where the error probability in the absence of attacks is still negligible and the missed detection probability under attack is significantly smaller than 1. Overall, better results are obtained with AHE than with MF3. Even better results are obtained with the MF5 and MF7 detectors, due to the relative easiness of the detection task.
V-C Security vs robustness tradeoff: pixel domain
In this section, we focus on the security of the RFS detectors against the pixel domain attack introduced in  and briefly described in Section IV-C. We emphasise that, as shown in , this is an extremely general and powerful attack capable of preventing manipulation detection by introducing a very limited distortion into the image.
The overall trend of the error probability is similar to that observed for the feature-domain attack, however the error probability is now much smaller (confirming that the possibility of carrying out the attack in the feature domain, would represent a significant advantage for the attacker. By letting , for instance, the missed detection probability in the presence of attacks ranges from 0.36 to 0.55 in the case of AHE and from 0.29 to 0.59 in the case of MF3, while the error probability without attacks is equal to 0.13% and 0, respectively.
The use of machine learning tools in the context of image forensics is endangered by the relative ease with which such tools can be deceived by an informed attacker. In this paper, we have considered a particular instantiation of the above problem, wherein the attacker knows the architecture of the detector, the data used to train it and the class of features the detector relies on. Specifically, we introduced a mechanism whereby the analyst designs the detector by randomly choosing the features used by the detector from an initial large set also known by the attacker. We first presented some theoretical results, obtained by relying on a simplified model, suggesting that random feature selection permits to greatly enhance security at the expense of a slight loss of performance in the absence of attacks. Then, we applied our strategy to the detection of two specific image manipulations, namely adaptive histogram equalization and median filtering, by resorting to SVM classification, based on the SPAM feature set. The security analysis, carried out by attacking the two detectors both in the feature and the pixel domain, confirms that security can indeed be improved by means of random feature selection, with a gain that is even more significant than that predicted by the simplified theoretical analysis. In fact, the probability of a successful attack drops from nearly 1 to less than 0.4 in the realistic case that the attack is carried out in the pixel domain. We remark that, while an error probability lower than 0.4 would be preferable, this may be already enough to discourage the attacker in applications wherein ensuring that the attack is successful is a vital requirement for the attacker.
This work is only a first attempt to exploit randomisation, noticeably feature space randomisation, to restore the credibility of the forensic analysis in adversarial settings. From a theoretical perspective, more accurate models could be used to reduce the gap between the analysis carried out in Section III and the conditions encountered in real applications. From a practical point of view, the use of random feature selection with detectors other than SVMs could be explored, together with the adoption of much larger feature sets, e.g., the entire set of rich features 
. Another interesting research direction consists in the extension of our approach to counter attacks against detectors based on deep learning, specifically convolutional neural networks. In such a case, in fact, the features used by the detector are not chosen by the analyst, since they are determined by the network during the training phase, hence calling for the adoption of other forms of randomisation.
Proof of Lemma 1.
We start by proving that:
To prove such properties, we observe that the element in position of matrix is equal to . The element in position of the covariance matrix can be computed as:
Thus, and . In the same way
The expectation of is clearly equal to:
hence, based on (35), we have:
In addition, the variance of boils down to:
In a similar manner, we can prove that:
Finally, by exploiting again the properties in (35), we can write:
and then immediately:
-  T. Gloe, M. Kirchner, A. Winkler, and R. Bohme, “Can we trust digital image forensics?” in ACM Multimedia 2007, Augsburg, Germany, September 2007, pp. 78–86.
-  R. Böhme and M. Kirchner, “Counter-forensics: Attacking image forensics,” in Digital Image Forensics, H. T. Sencar and N. Memon, Eds. Springer Berlin / Heidelberg, 2012.
-  M. Kirchner and R. Bohme, “Hiding traces of resampling in digital images,” IEEE Transactions on Information Forensics and Security, vol. 3, no. 4, pp. 582–292, December 2008.
-  G. Cao, Y. Zhao, R. Ni, and H. Tian, “Anti-forensics of contrast enhancement in digital images,” in Proceedings of the 12th ACM Workshop on Multimedia and Security, ser. MM&Sec ’10. New York, NY, USA: ACM, 2010, pp. 25–34.
-  M. C. Stamm and K. J. R. Liu, “Anti-forensics of digital image compression,” IEEE Transactions on Information Forensics and Security, vol. 6, no. 3, pp. 50–65, September 2011.
-  B. Biggio, I. Corona, D. Maiorca, B. Nelson, N. Šrndić, P. Laskov, G. Giacinto, and F. Roli, “Evasion attacks against machine learning at test time,” in Proc. of Joint European Conference on Machine Learning and Knowledge Discovery in Databases. Springer, 2013, pp. 387–402.
-  M. Fontani and M. Barni, “Hiding traces of median filtering in digital images,” in Proc. Eusipco 2012, 20th European Signal Processing Conference. IEEE, 2012, pp. 1239–1243.
-  P. Comesana-Alfaro and F. Pérez-González, “Optimal counterforensics for histogram-based forensics,” in Proc. IEEE Int. Conf. Acoust., Speech, and Signal Process, 2013, pp. 3048–3052.
-  C. Pasquini, P. Comesaña-Alfaro, F. Pérez-González, and G. Boato, “Transportation-theoretic image counterforensics to first significant digit histogram forensics,” in 2014 IEEE International Conference on Acoustics, Speech and Signal Processing (ICASSP), May 2014, pp. 2699–2703.
-  F. Marra, G. Poggi, F. Roli, C. Sansone, and L. Verdoliva, “Counter-forensics in machine learning based forgery detection.” in Media Watermarking, Security, and Forensics, 2015, p. 94090L.
-  Z. Chen, B. Tondi, X. Li, R. Ni, Y. Zhao, and M. Barni, “A gradient-based pixel-domain attack against SVM detection of global image manipulations,” in Proc. WIFS 2017, IEEE International Workshop on Information Forensics and Security. Rennes, France: IEEE, 4-7 December 2017.
-  M. Barni, M. Fontani, and B. Tondi, “A universal technique to hide traces of histogram-based image manipulations,” in Proc. of the ACM Multimedia and Security Workshop, Coventry, UK, 6-7 September 2012, pp. 97–104.
-  M. Barni, M.Fontani, and B. Tondi, “A universal attack against histogram-based image forensics,” International Journal of Digital Crime and Forensics (IJDCF), vol. 5, no. 3, 2013.
-  M. Barni, M. Fontani, and B. Tondi, “Universal counterforensics of multiple compressed jpeg images,” in International Workshop on Digital Watermarking. Springer, 2014, pp. 31–46.
-  S. Lai and R. Böhme, “Countering counter-forensics: The case of JPEG compression,” in Information hiding. Springer, 2011, pp. 285–298.
-  G. Valenzise, M. Tagliasacchi, and S. Tubaro, “Revealing the traces of JPEG compression anti-forensics,” IEEE Transactions on Information Forensics and Security, vol. 8, no. 2, pp. 335–349, 2013.
-  H. Zeng, T. Qin, X. Kang, and L. Liu, “Countering anti-forensics of median filtering,” in ICASSP 2014, IEEE International Conference on Acoustics, Speech and Signal Processing. IEEE, 2014, pp. 2704–2708.
-  A. De Rosa, M. Fontani, M. Massai, A. Piva, and M. Barni, “Second-order statistics analysis to cope with contrast enhancement counter-forensics,” IEEE Signal Processing Letters, vol. 22, no. 8, pp. 1132–1136, 2015.
-  M. Barni, Z. Chen, and B. Tondi, “Adversary-aware, data-driven detection of double JPEG compression: How to make counter-forensics harder,” in WIFS 2016, IEEE International Workshop on Information Forensics and Security. IEEE, 2016, pp. 1–6.
-  M. Barni, E. Nowroozi, and B. Tondi, “Higher-order, adversary-aware, double JPEG-detection via selected training on attacked samples,” in Proc. Eusipco 2017, 25th European Signal Processing Conference, 2017, pp. 281–285.
-  M. Barni and F. Pérez-González, “Coping with the enemy: advances in adversary-aware signal processing,” in ICASSP 2013, IEEE Int. Conf. Acoustics, Speech and Signal Processing, Vancouver, Canada, 26-31 May 2013, pp. 8682–8686.
-  M. Barni and B. Tondi, “The source identification game: an information-theoretic perspective,” IEEE Transactions on Information Forensics and Security, vol. 8, no. 3, pp. 450–463, March 2013.
-  M. C. Stamm, W. S. Lin, and K. J. R. Liu, “Forensics vs anti-forensics: a decision and game theoretic framework,” in ICASSP 2012, IEEE Int. Conf. Acoustics, Speech and Signal Processing, Kyoto, Japan, 25-30 March 2012.
-  M. Barni and B. Tondi, “Source distinguishability under distortion-limited attack: An optimal transport perspective,” IEEE Transactions on Information Forensics and Security, vol. 11, no. 10, pp. 2145–2159, 2016.
-  B. Biggio, G. Fumera, and F. Roli, “Multiple classifier systems for robust classifier design in adversarial environments,” International Journal of Machine Learning and Cybernetics, vol. 1, no. 1-4, pp. 27–41, 2010.
-  B. Biggio, I. Corona, Z.-M. He, P. P. Chan, G. Giacinto, D. S. Yeung, and F. Roli, “One-and-a-half-class multiple classifier systems for secure learning against evasion attacks at test time,” in International Workshop on Multiple Classifier Systems. Springer, 2015, pp. 168–180.
-  D. Lowd and C. Meek, “Adversarial learning,” in Proceedings of the eleventh ACM SIGKDD international conference on Knowledge discovery in data mining. ACM, 2005, pp. 641–647.
-  M. Barreno, B. Nelson, A. D. Joseph, and J. D. Tygar, “The security of machine learning,” Machine Learning, vol. 81, no. 2, pp. 121–148, 2010.
-  B. Biggio, G. Fumera, P. Russu, L. Didaci, and F. Roli, “Adversarial biometric recognition: A review on biometric system security from the adversarial machine-learning perspective,” IEEE Signal Processing Magazine, vol. 32, no. 5, pp. 31–41, 2015.
-  T. Pevny, P. Bas, and J. Fridrich, “Steganalysis by subtractive pixel adjacency matrix,” IEEE Transactions on information Forensics and Security, vol. 5, no. 2, pp. 215–224, 2010.
-  J. Fridrich and J. Kodovsky, “Rich models for steganalysis of digital images,” IEEE Transactions on Information Forensics and Security, vol. 7, no. 3, pp. 868–882, 2012.
-  J.-P. M. Linnartz and M. Van Dijk, “Analysis of the sensitivity attack against electronic watermarks in images,” in International Workshop on Information Hiding. Springer, 1998, pp. 258–272.
-  O. Koval, S. Voloshynovskiy, F. Beekhof, and T. Pun, “Security analysis of robust perceptual hashing,” in Proc. of Security, Forensics, Steganography, and Watermarking of Multimedia Contents, 2008.
-  L. Breiman, “Bagging predictors,” Machine learning, vol. 24, no. 2, pp. 123–140, 1996.
-  T. K. Ho, “The random subspace method for constructing decision forests,” IEEE Transactions on Pattern Analysis and Machine Intelligence, vol. 20, no. 8, pp. 832–844, 1998.
B. Biggio, G. Fumera, and F. Roli, “Adversarial pattern classification using
multiple classifiers and randomisation,”
Structural, Syntactic, and Statistical Pattern Recognition, pp. 500–509, 2008.
-  J. Kodovskỳ and J. Fridrich, “Steganalysis in high dimensions: Fusing classifiers built on random subspaces,” in IS&T/SPIE Electronic Imaging. International Society for Optics and Photonics, 2011, pp. 78 800L–78 800L.
-  R. Villán, S. Voloshynovskiy, O. Koval, F. Deguillaume, and T. Pun, “Tamper-proofing of electronic and printed text documents via robust hashing and data-hiding,” in Security, Steganography, and Watermarking of Multimedia Contents IX, vol. 6505. International Society for Optics and Photonics, 2007.
-  F. Zhang, P. P. Chan, B. Biggio, D. S. Yeung, and F. Roli, “Adversarial feature selection against evasion attacks,” IEEE transactions on cybernetics, vol. 46, no. 3, pp. 766–777, 2016.
-  D. Cozzolino, D. Gragnaniello, and L. Verdoliva, “Image forgery detection through residual-based local descriptors and block-matching,” in IEEE International Conference on Image Processing, 2015, pp. 5297–5301.
-  H. Li, W. Luo, X. Qiu, and J. Huang, “Identification of various image operations using residual-based features,” IEEE Transactions on Circuits and Systems for Video Technology, vol. PP, no. 99, pp. 1–1, 2016.
-  D.-T. Dang-Nguyen, C. Pasquini, V. Conotter, and G. Boato, “Raise: A raw images dataset for digital image forensics,” in Proceedings of the 6th ACM Multimedia Systems Conference, ser. MMSys ’15. New York, NY, USA: ACM, 2015, pp. 219–224. [Online]. Available: http://doi.acm.org/10.1145/2713168.2713194
-  C.-C. Chang and C.-J. Lin, “Libsvm: a library for support vector machines,” ACM Transactions on Intelligent Systems and Technology (TIST), vol. 2, no. 3, p. 27, 2011.